Confidentiality of Medical Records: A Situation Analysis and AHIMA's Position

Every American, from the beginning of life to its end, enjoys a fundamental, but not absolute, right to privacy that is deeply rooted in both tradition and law. In no area is this right more cherished, or more unsettled, than in protecting the confidentiality of identifiable personal health information, as lawmakers, judges, and healthcare professionals struggle to balance individual privacy interests against other strong societal interests.

The Hippocratic Oath, dating to the fourth or fifth century B.C., requires physicians to keep secret all knowledge of individual patients "which ought not to be spread abroad."1 In the modern world, however, the reality is that health information by more than just patient and physician.

Personal health information is maintained not only by physicians but also in the records and/or databases of hospitals and clinics that provide treatment or diagnostic services, laboratories that perform tests, pharmacies, and insurance companies and managed care organizations to which claims are submitted or coverage is made. In addition, personal health data frequently is shared with universities and pharmaceutical companies for medical and health-services research purposes.

Certain medical information, by law, also must be reported to state and local governments, where it is maintained in databases. For instance, U.S. jurisdictions typically require the reporting of venereal disease to public health agencies, of child abuse to child welfare agencies, and of injuries caused by firearms to law enforcement agencies.2

The flow of medical information carries numerous personal and societal benefits. The ability to access medical records has saved the lives of unconscious patients brought into hospital emergency rooms. Pharmacists have detected dangerous, sometimes potentially lethal, drug combinations. In the public health arena, computerized records have made possible the prompt detection of infectious disease epidemics and enabled health authorities to take emergency action. Researchers have used databases to analyze the causes of illnesses, a process that, for instance, established the connection between smoking and lung cancer.

On the other hand, the vast accumulations of personal medical data give rise to serious privacy concerns as a result of the potential for misuse. As a national magazine recently noted:

[I]t's hard to keep a secret if more than a couple of people are in on it; in a typical five-day stay at a teaching hospital, as many as 150 people -- from nursing staff to X-ray technicians to billing clerks -- have legitimate access to a single patient's records.3

Breaches of confidentiality, in fact, have been widespread, if not ubiquitous. In some instances, breaches occur within the parameters of present law: Pharmacies in some states legally sell individual prescription records to pharmaceutical companies for use in marketing campaigns.4 A San Francisco mailing list broker, in fact, sells the names of some 75,000 women who suffer yeast infections and another 65,000 who suffer incontinence or bladder-control problems for $130 per thousand names.5

Other breaches have been illegal: The medical records of a candidate for Congress, indicating that she once had attempted suicide, were sent to the New York Post on the eve of her primary election.6 A Colorado medical student sold patient records to lawyers soliciting malpractice plaintiffs.7 A public health worker in Florida carelessly leaked the names of 4,000 HIV-positive patients to two newspapers.8

The collateral social consequences of improper or illegal dissemination of personal health information are far more devastating than solicitations from drug companies and malpractice lawyers. They include the denial of such basic social rights as employment, insurance, healthcare, housing, and education. The consequences of HIV/AIDS stigmatization have been particularly catastrophic.

As genetic testing becomes more common and as the potential dangers lurking in DNA become better understood, the danger of illegal discrimination against persons at risk of developing serious conditions is likely to increase. A recent article in the Journal of the American Medical Association advised:

Participants in genetic testing should be informed that the genetic testing for cancer susceptibility may limit their ability to obtain health, life, or disability insurance; may lead to limitations in health insurance coverage; or may result in higher premiums for insurance products. Participants also should be informed that genetic testing may pose a risk to their present or future employment.9

The confidentiality of personal health information, thus, is an issue that profoundly affects every American, and the fundamental question, to quote U.S. department of Health and Human Services Secretary Donna E. Shalala, PhD, is: "Will our health records be used to heal us or reveal us?"10

In the months ahead, Congress will endeavor to meet a self-imposed deadline of August 21, 1999, to enact comprehensive standards protecting the privacy of individually identifiable health information. If Congress misses the deadline, which was established by legislation popularly known as the Kennedy-Kassebaum law,11 the Secretary of Health and Human Services is required to promulgate standards by regulation. 12

On September 11, 1997, Secretary Shalala presented recommendations for federal legislation to the Senate Committee on Labor and Human Resources and observed, in accompanying testimony:

The computer revolution means that our deepest and darkest secrets no longer exist in one place and can no longer be protected by simply locking up the office doors each night.

And, revolutions in biology mean that a whole new world of genetic tests have the potential to help either prevent disease or reveal our families' most personal secrets. Because without safeguards that assure citizens that getting tested won't endanger their families' privacy or health insurance or jobs, we could, in turn, endanger one of the most promising areas of research our nation has ever seen.

We are at a decision point. Depending on what we do over the next months, these revolutions in healthcare, communications, and biology could bring us great promise or even greater peril. The choice is ours. For example, will healthcare information flow safely to improve care, cut fraud, ensure quality, and reach citizens in under-served areas? Or will it flow recklessly into the wrong hands?13

Current legal protections of the privacy of health information are fragmented and uncertain.

All 50 states provide statutory protection for personal health data maintained by public agencies, but also permit disclosure for one or more purposes, the most common of which are statistical evaluation, contact tracing of persons diagnosed to have sexually transmitted and infectious diseases, epidemiological investigations, and use in court pursuant to subpoena or court order. However, only 42 states provide either criminal or civil penalties for improper disclosure.14

On the federal level, the Privacy Act of 197415 provides limited protection against the disclosure by the government of individual health records maintained by government agencies, such as the Veterans Administration and the Department of Defense. But the act contains a "routine use" exception that privacy advocates complain guts the protection. 16 The Americans with Disabilities Act of 1990 prohibits discrimination on the basis of a disability, including HIV or AIDS, but does not directly protect privacy; rather it only provides a remedy for discrimination based on breaches of confidentiality.17

The U. S. Supreme Court, in 1977 in its only major encounter with the constitutional risks arising from the storage of health information in government data banks, unanimously recognized a qualified constitutional right to privacy of personal information that could reflect unfavorably on an individual.18 However, at the same time, the unanimous court upheld the constitutionality of a New York statute requiring physicians to forward to the State Health Department the name, age, and address of every patient obtaining certain dangerous, yet legitimate, drugs.19

Of course, the constitutional protection of private information, such as it is, applies only to violations by the government -- not by private parties, who sometimes are responsible for the most intrusive invasions of privacy.

The majority of states protects privately held medical information to at least some extent. Thirty-six states impose a general duty upon physicians to maintain patient confidentiality, and 26 of those extend that duty to other healthcare providers. However, only four states have legislation specifically extending the duty to insurers, and only nine impose restrictions on employers.20 This patchwork of state and federal laws obviously falls far short of providing consistent, comprehensive protection of the privacy of health information nationwide.

Aside from legal shortcomings, first, in regulating what information is available to whom and for what purposes and, second, in protecting the security of databases containing personal health information, there also is no standard legal mechanism allowing consumers to verify the accuracy of their personal health information.

Accuracy is a huge issue. The Massachusetts-based Medical Information Bureau, for example, a clearinghouse for some 750 insurers, has acknowledged that as many as 3.5 percent of its approximately 15 million individual files contain inaccurate information. Because the information relates to life expectancy -- blood pressure, weight, and cholesterol level -- and is used by the insurers for underwriting purposes, inaccuracies may result in a decision to deny coverage or charge higher rates.21

Yet, until the insurance industry reached a voluntary agreement with the Federal Trade Commission in 1995 to inform applicants when a report plays a role in the denial or rating of insurance, few consumers knew that such reports existed. Those who might have known could not find out what their reports said. Under the agreement, applicants receive notices that they are entitled to a free copy of their reports and have30 days to request and verify that the information is correct.22

Employers, however, have no obligation to inform present or prospective employees when medical information is used in making employment decisions. Because most Fortune 500 companies are self-insured and, therefore, have access to employees' prescription and other health records, unreliable data may have serious consequences, but there presently is no mechanism to allow employees or job applicants to review or correct the information.

To address the various health privacy issues, the department of Health and Human Services has developed proposed standards for the consideration of Congress as it endeavors to meet the 1999 deadline set by the Kennedy-Kassebaum law -- proposals designed, in the words of Secretary Shalala, to "strike a balance between the privacy needs of our citizens and the critical needs of our healthcare system."23

The proposed standards embody five principles that the American Health Information Management Association (AHIMA), a professional association representing 38,000 health information management professionals, believes "comprise the exact formula necessary to protect the privacy of Americans [and] place the needs of individuals ahead of powerful commercial interests that use health information for purposes well outside the boundaries of patient care."24

The first principle set forth by Secretary Shalala is that "With very few exceptions, healthcare information about a consumer should be disclosed for health purposes and health purposes only. It should be easy to use it for those purposes, and very difficult to use it for other purposes."

In this regard, Secretary Shalala said, the legislation must include requirements that persons who legally receive individual health information take "real and reasonable steps" to safeguard it, ensuring that it is not used improperly by those who have access to it and is not obtained by "hackers or others on the outside." The steps, she added, should include administrative and management techniques, education of employees, and disciplinary sanctions against those who use individual health information improperly.

The second principle is that the legislation must contain technical security safeguards for computerized data. These would include audit trails showing who accessed data, facilitating the identification of, and thereby the prosecution or other appropriate action against, anyone who may have used health records for illegal or improper purposes.

The third principle is consumer access, an area in which state laws also are inconsistent. All patients should be able to access to their medical records. They also should be able to find out who has access to them, and how to inspect, copy, and, if necessary, correct them. Patients also should have access to information about the laws, regulations, or policies that protect their information. In her testimony before the Senate Committee on Labor and Human Resources, Secretary Shalala cited the example of a California woman who was denied disability and life insurance. The woman discovered that the Medical Information Bureau had provided her prospective insurers with information falsely indicating she suffered heart problems and Alzheimer's disease. "What if she hadn't requested her records?" the Secretary asked rhetorically.

The fourth principle is accountability, which is closely linked with security and consumer control. Secretary Shalala called for criminal penalties (fines and imprisonment) against those who breach security of personal health information, and civil remedies (actual and punitive monetary damage recoveries) for injured parties. The penalties, said the Secretary, should be higher when violations are committed for monetary gain.

The fifth and final principal is public responsibility. In other words, the legislation must balance personal privacy interests against the national priorities of public health, research, and law enforcement. The free flow of information, without patient authorization, is essential to the prompt discovery, investigation, and intervention in public health crises, such as the recent outbreak of e. coli in ground beef that resulted in the largest recall of meat products in history.25 Patient consent should not be required for the dissemination of personal health information for research purposes, provided that the disclosures will not adversely affect the rights or welfare of the patients and that the research would not be practical if consent were required.

The principles outlined by Health and Human Services, of course, are but a broad outline of a sensible public policy that, if codified, would reasonably balance personal privacy interests and other important societal interests.

Why All Types of Healthcare Should Be Treated the Same

Because the misuse of any individually identifiable medical information is potentially destructive to the health and well-being of patients -- sometimes leading to discrimination in employment, insurance, and healthcare -- the American Health Information Management Association (AHIMA) strongly believes that federal legislation must protect all types of information equally.

As destructive as the unauthorized dissemination of genetic, psychiatric, or HIV/AIDS information may be, for instance, the danger is no greater than that relating to many other chronic conditions, such as heart disease or cancer. Restricting the legitimate use of any type of individual health data, however, could thwart one of the principle purposes for which it is gathered -- research in pursuit of more effective cures.

Thus, AHIMA believes that creating special categories of healthcare information ultimately would be more dangerous than beneficial.

The remaining task for Congress, or for the department of Health and Human Services, should Congress fail to act before the Kennedy-Kassebaum deadline, is to resolve such issues as whether national privacy standards should preempt existing state legislation and whether genetic information should be treated differently than other personal health information for research purposes.

AHIMA is on record in support of federal preemptive health information confidentiality legislation that protects all types of health information equally.26

State laws, as previously noted, are far from uniform. Protections regarding the redisclosure of health information vary, depending on the type of information and who holds it. Several years ago, the National Conference of Commissioners on Uniform State Laws developed, with the cooperation of AHIMA, a model state law designed to stimulate uniformity among the states on healthcare information management issues. However, to date, only two states, Montana and Washington, have enacted the model legislation.27

Modern realities, including the movement of patients and their healthcare information across state lines, the exchange of such information through automated databases, and the emergence of multi-state providers, simply render anything less than federal standards impractical. The resolution of these issues and others, in the context of the five principles advocated by the department of Health and Human Services, will result in a comprehensive national standard that will at once enhance individual privacy, foster research, and protect the public health.

AHIMA's Interest in Healthcare Privacy

Since its founding in 1928, the American Health Information Management Association (AHIMA) has worked to protect the confidentiality of individually identifiable health information.

AHIMA's 38,000 members are specialists who manage patient records throughout the United States, handling millions of requests annually for individual healthcare records from, among others, insurance companies, employers, researchers, lawyers, and federal, state, and local agencies.

Guided by the principle that confidentiality is essential in fostering trust between patients and healthcare providers, AHIMA members are committed to ensuring that patient records are disclosed only pursuant to informed consent or pursuant law -- a task that is complicated by the lack of uniform national guidelines governing healthcare privacy.

In view of the facts that healthcare providers and payers operate across state lines, that healthcare information is maintained in databases accessible from any location, and that patients routinely move from state to state, AHIMA believes there is a critical need for federal legislation preempting current state laws, which are inconsistent and sometimes conflicting.

AHIMA is committed to fair and reasonable healthcare information practices embodying these principles:

Patient's right to know -- Each patient, directly or through a representative, must have the right to know by whom and for what purpose his or her healthcare information is maintained.

Restrictions on collection -- Individual healthcare information must be collected only for legitimate purposes, such as medical research, enhancing public health, and combating fraud.

Use of information -- Healthcare information must be used only for necessary and lawful purposes.

Notification -- Any entity maintaining healthcare information must prepare and make available to patients upon request a written statement outlining its information practices.

Restriction -- Healthcare information must not be used for purposes other than those for which it is collected, except as provided by law.

Patient access -- Each patient, directly or through a representative, must have access to his or her healthcare information and the right to amend or correct it.

Penalties -- Both criminal and civil penalties must be provided for persons who violate privacy laws and regulations.

Computer Records Are as Safe as Paper Records

Based on the day-to-day experience of its 38,000 members -- professionals who handle millions of individual healthcare records each year -- the American Health Information Management Association (AHIMA) believes that computer-based medical records need not compromise patients' privacy.

Because computerized records hold tremendous promise for improving healthcare both for individuals and the general population, it would be folly to unnecessarily limit their potential for facilitating the development of new cures for chronic diseases and the prompt identification of dangers to the public health.

However, in AHIMA's view, it is essential that standards be established by federal law to guard against both the accidental and intentional misuse of personal health data, whether maintained by the government or the private sector. These must include data-security measures limiting access to only persons and entities with clearly defined and legitimate purposes for receiving it, mandatory education for all who gather or use individual healthcare information, stringent criminal and civil penalties for anyone who violates the standards, and reasonable patient access to their own records.